University of Illinois Urbana-Champaign

Investigating system intrusions with data provenance analytics

Hassan, Wajih Ul

Content Files
HASSAN-DISSERTATION-2021.pdf

Permalink

https://hdl.handle.net/2142/113904

Description

Title
Investigating system intrusions with data provenance analytics
Author(s)
Hassan, Wajih Ul
Issue Date
2021-12-03
Director of Research (if dissertation) or Advisor (if thesis)
Bates, Adam
Doctoral Committee Chair(s)
Bates, Adam
Committee Member(s)
  • Bailey, Michael
  • Gunter, Carl
  • Paxson, Vern
  • Xu, Dongyan
Department of Study
Computer Science
Discipline
Computer Science
Degree Granting Institution
University of Illinois at Urbana-Champaign
Degree Name
Ph.D.
Degree Level
Dissertation
Date of Ingest
2022-04-29T21:34:49Z
Keyword(s)
  • Security
  • Audit
  • Data Provenance
  • Forensic Analysis
Abstract
To aid threat detection and investigation, enterprises are increasingly relying on commercially available security solutions, such as Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR) tools. These security solutions first collect and analyze audit logs throughout the enterprise and then generate threat alerts when suspicious activities occur. Later, security analysts investigate those threat alerts to separate false alarms from true attacks by extracting contextual history from the audit logs, i.e., the trail of events that caused the threat alert. Unfortunately, investigating threats in enterprises is a notoriously difficult task, even for expert analysts, due to two main challenges. First, existing enterprise security solutions are optimized to miss as few threats as possible – as a result, they generate an overwhelming volume of false alerts, creating a backlog of investigation tasks. Second, modern computing systems are operationally complex that produce an enormous volume of audit logs per day, making it difficult to correlate events for threats that span across multiple processes, applications, and hosts. In this dissertation, I propose leveraging data provenance analytics to address the challenges mentioned above. I present five provenance-based techniques that enable system defenders to effectively and efficiently investigate malicious behaviors in enterprise settings. First, I present NoDoze, an alert triage system that automatically prioritizes generated alerts based on their anomalous contextual history. Following that, RapSheet brings benefits of data provenance to commercial EDR tools and provides compact visualization of multi-stage attacks to system defenders. Swift then realized a provenance graph database that generates contextual history around generated alerts in real-time even when analyzing audit logs containing tens of millions of events. Finally, OmegaLog and Zeek Agent introduced the vision of universal provenance analysis, which unifies all forensically relevant provenance information on the system regardless of their layer of origin, improving investigation capabilities.
Graduation Semester
2021-12
Type of Resource
Thesis
Permalink
http://hdl.handle.net/2142/113904
Copyright and License Information
Copyright 2021 Wajih Ul Hassan

Owning Collections

Graduate Dissertations and Theses at Illinois PRIMARY
Graduate Theses and Dissertations at Illinois